First things first, DO NOT STORE CREDIT CARDS unless you really really have to.
- If you know you are unnecessarily storing credit cards, delete them, and use a secure deletion tool so there is no way they can come back to haunt you.
- If you have to retain credit card data, make sure it is encrypted, and never ever store the CVV/CV2/etc. As a short-term fix to get you through the next couple of weeks, encrypt hard drives, and put a plan in place to have effective credit card encryption and tokenization working by early 2012. For a better understanding of how tokenization can help you reduce the risks and the scope of PCI DSS, download the white paper “Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data” here.
- Check whether cards are being stored that you do not know about. In a recent survey SecurityMetrics found an “8 Percent Increase of Unencrypted Cards”; read the press release here. There are some excellent scanning tools that will scan your network and devices for stored credit card numbers so you can then decide whether to delete or secure them.
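To show what the card-discovery scanners mentioned above actually do, here is an added example (not from this post or from any vendor tool) that scans text for candidate card numbers, keeps only those that pass the Luhn check, masks them to first six/last four so the report itself does not become cardholder data, and flags field names under which sensitive authentication data (CVV/CV2 and the like) must never be stored. The sample export is constructed and uses published brand test numbers, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that indicate sensitive authentication data (must never be retained).
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cv2|cid|track[12]?)\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; filters out most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four only, so findings can be reported without exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text: str):
    """Return (line_no, kind, detail) findings; detail never contains a full PAN."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((no, "PAN", mask(digits)))
        sad = SAD_RE.search(line)
        if sad:
            findings.append((no, "SAD-FIELD", sad.group().lower()))
    return findings

# Constructed sample of an order export. Line 2 fails Luhn and line 3's reference
# number is 13 digits but not a card; both must not be reported as PANs.
SAMPLE = """order=1001 customer=Jones card=4111-1111-1111-1111 exp=12/13
order=1002 customer=Smith card=4111111111111112 exp=01/14
order=1003 ref=1234567890123 cvv=123
order=1004 card=3782 822463 10005 cv2=9876
"""

if __name__ == "__main__":
    for no, kind, detail in scan_text(SAMPLE):
        print(f"line {no}: {kind} {detail}")
```

Run the same function over exported databases, log files and backups; any PAN hit outside the systems you deliberately keep in scope is data to delete or encrypt, and any SAD-FIELD hit is data to delete outright.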
You now need to revisit the Payment Card Industry Data Security Standard’s Version 2 to ensure you are meeting as much of the standard as possible. The best place to start is with the PCI DSS Prioritized Approach (find it here). The Prioritized Approach will ensure the efforts you make are directed towards the most important areas with the quickest wins.
The Prioritized Approach consists of 6 key milestones, and merchants are advised to start with number 1.
- Milestone 1: Remove Sensitive Authentication Data and limit data retention
- Milestone 2: Protect the perimeter, internal, and wireless networks
- Milestone 3: Secure payment card applications (e.g. PA DSS approved)
- Milestone 4: Monitor and control access to your systems
- Milestone 5: Protect stored cardholder data
- Milestone 6: Finalize remaining compliance efforts, and ensure all controls are in place
Another reason to revisit your PCI DSS posture is revealed in Verizon's 2011 Global report, which finds that many organisations lose sight of compliance after their initial compliance activity. Some specific findings from the report are below:
- 21% of organizations were fully compliant at the time of their Initial Report on Compliance (IROC)
- 78% of organisations met all test procedures at the IROC stage
- 20% of organizations passed less than half of the PCI DSS requirements
- 60% scored above the 80% mark
The full review of the Verizon report is here.
If you want to look at a range of other documents and guides have a visit to my PCI Resources page here.
Good luck with your Christmas and the New Year business and compliance activities.